Bandit Level 19 → Level 20

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

Looking at the home directory, we see a file bandit20-do is created by bandit20 and accessible by bandit19. The permission of the file is rws. The s permission means when the file is executed, it will run with the permission of the owner.

-rwsr-x--- 1 bandit20 bandit19 7237 Jun 6 2013 bandit20-do

Since the owner is bandit20, we can try to run this and use the elevated permission to look at the next password as well. Just running it tell us we can run a command.

Run a command as another user.
 Example: ./bandit20-do id

In this case, let’s cat the password file and find out the next password for bandit20.

./bandit20-do cat /etc/bandit_pass/bandit20

Additional References: